Skip to content

{ Category Archives } Paper

New Whitepaper: JBoss AS – Deploying WARs with the DeploymentFileRepository MBean

We released a new JBoss security whitepaper with the title “JBoss Application Server – Deploying WARs with the DeploymentFileRepository MBean” today. It explains how to deploy WAR files with the DeploymentFileRepository MBean and how this is even possible with Cross Site Request Forgery (CSRF). The paper is available at
http://www.redteam-pentesting.de/publications/jboss
This new informational page also contains the [...]

Tagged , , , , ,
2010 06 15 phof Comments (0)

Scanning JBoss AS for open Invokers

Apparently, the guys at Acunetix were tired of examining their JBoss Application Servers manually for vulnerabilities. In their Web Vulnerability Scanner from Version 6.5 build 20091215 on, they integrated various checks for the stuff from our JBoss paper.
To give you a little reminder: Always check for

http://www.example.com/jmx-console
http://www.example.com/web-console
http://www.example.com/web-console/Invoker
http://www.example.com/invoker/JMXInvokerServlet

and any open JBoss Remoting / RMI ports. See the [...]

Tagged , , , ,
2010 02 03 phof Hacking Comments (1)

JBoss Paper: English version released

We finally came around to translate and release the 27+ pages of our JBoss paper (see also this post). That was quite some work, the first versions of my translations always read like a one-to-one translation from German. Then I read it again and correct those horribly sounding sentences to what I hope is [...]

Tagged , ,
2009 12 01 phof Hacking Comments (1)